How public CCTV operators can avoid eye-watering fines under the GDPR [including video]

Avatar photo


Author Bio ▼

Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
November 8, 2017

Sign up to free email newsletters


Whitepaper: Multi-residential access management – The move to digital

The General Data Protection Regulation (GDPR) comes into force across the EU – including the UK – from 25 May 2018.

With fines for non-compliance potentially being a staggering 79 times greater than under the existing data protection regime, the stakes for organisations in a range of sectors are enormous.

As security practitioners are well aware, a CCTV image featuring people counts as personal data just like a date of birth or someone’s marriage status or political views.

Jean-Philippe Deby, business development director for Europe at Genetec, very kindly shared his thoughts on the implications for CCTV operators and the wider security industry with IFSEC Global.

The conversation touched upon the importance of CCTV gap analyses, managing authorisations and privacy by design, as well as how the GDPR could accelerate adoption rates in the surveillance-as-a-service market.

(How physical access systems will be affected by GDPR was also topic under discussion during IFSEC 2017.)

IFSEC Global: What are the implications of the forthcoming GDPR on how organisations manage their CCTV systems?

Jean-Philippe Deby: I’ve heard that the UK was very vocal and implemented this regulation prior to Brexit. So even post-Brexit, from what I understand, the UK will still apply the regulation.

Effectively, as this is a regulation and not a directive, all EU countries have agreed to apply it. A fundamental notion of the European Privacy Regulation is that you need to get explicit consent when you acquire people’s data.

On top of the way they collect information, there’s now the notion of responsibility or accountability on how organisations hold this data. The regulation is telling them “this is what you know you can or can’t do”.

If they are irresponsible they will be fined. If they are hacked and data is compromised, they have 72 hours to disclose it to the public authorities – otherwise they will also be fined.

“Because of the lack of consent and the mass accumulation of data, public CCTV basically falls under the category of high-risk data”

As we speak, organisations as well as the industry as a whole, are reviewing the regulation to determine the steps that need to be taken in order to meet their obligations.

How CCTV comes into play is especially interesting for public CCTV.

As we know, it’s impossible to get the explicit consent of people being filmed. You can obviously announce that you have CCTV in the train station or store, which is how it’s done today, but the specific person being filmed can’t say “hey, I don’t want you to record my images.”

As part of the regulation there’s actually a notion that certain data constitutes a higher risk to a person’s rights, where organisations need to make a data protection impact assessment test. Because of the lack of consent and the mass accumulation of data, public CCTV basically falls under high-risk data.

GDPR Article 35 is where they mention the activities that make data high risk and the steps which an organisation needs to take.

IG: What are the implications of being classified as high risk for CCTV operators?

JPD: As I mentioned earlier, it’s a learning curve. There are so many different types of data that a lot of people are trying to understand how it’s going to impact their organisations, but basically there are two things that come up.

For high risk-data they will need what is called a DPO, a data protection officer, who will report directly to the CEO. It will be interesting to see how it impacts small and medium-sized businesses.

The other big thing that comes out is that, de facto, they need to build a system which implements what is called ‘privacy by design’. For example, encryption is a recommended method of increasing privacy around the information that has been collected.

Another area of focus should be the access to the information itself. Breaches don’t necessarily come from hackers; they can be internal, either intentional or unintentional.

So managing the process of identifying who is connecting to your system and who has access to the system is also key to privacy.

Who do you authorise, for example, to view live images or live recordings?

IG: The fines sanctioned by the GDPR are pretty steep…

JPD: It’s either a €20m fine or 4% of worldwide annual revenue – whichever is higher.

Many companies with retail branches have billions of dollars’ worth of revenue. I’ve been talking recently to a company that has about $11bn in sales – they could be fined $420m.

“Until now the argument for SaaS was around operational savings. With the GDPR it’s really around helping people meet their compliance obligations”

There is a process in place which means companies will first be warned before being fined, but really, it’s about good governance. Compare the cost of a breach or a company’s reputation versus the cost of implementing a properly designed and executed solution.

But I do believe that the EU will apply fines around data protection as they already apply large fines for other subjects. , Google was recently fined more than €2.7bn.

If an organisation isn’t careful about the way they handle data, I believe the EU will apply the full force of the regulation.

IG: It’s not hard to imagine court cases where organisations dispute accusations that their cyber-defences were not robust enough…

JPD: That’s true, but the onus will then be on the organisation to demonstrate the steps they have taken. Ultimately, it’s all about responsibility.

Under the GDPR, an organisation collecting personal information is the data controller and is responsible for handling the data.

The GDPR also introduces another player called a data processor. These companies can help data controllers in managing the collection of information by providing adequate infrastructure or services.

This is why companies like Microsoft are quite engaged with their cloud offering, because the data processor is almost synonymous with software as a service [SaaS].

Genetec has a solution called Stratocast, which is surveillance as a service. Small businesses can rely on our solution to encrypt their recorded CCTV, for example.

It monitors their systems 24 hours a day to detect hacks or any unusual activity via our utilisation of Microsoft Azure. It is really to help any businesses where video surveillance is not their core business and they either don’t want, or don’t have the resources to dedicate one of their employees to monitor the state of their CCTV systems.

IG: So the GDPR could really be a spur for the software as a service market?

JPD: Absolutely. Until now the argument was around operational savings. Here it’s really around helping people meet their compliance obligations on top of helping them with their operation. It’s an even stronger argument as to why they should be looking into those solutions.

IG: How does Genetec see its role in preparing the industry for the GDPR?

JPD: The GDPR is an incredible framework for something we’ve been pushing now for a few years: the security of security.

You cannot have trust without security. Cameras have become IoT devices that connect to IP networks like PCs or other IP devices. So we’re making sure tools and processes are available for customers to build the security policy they want to put in place, like encrypting information.

“A CCTV gap analysis is especially important for end users filming public areas. They are exposing themselves to high risk”

With certain partners – like Bosch for example – we even have the ability to encrypt from the camera. So it’s all about protecting access to data. It’s also about protecting the integrity of that data.

And with the GDPR we have the European Commission and the British Government putting in a legal framework, with financial penalties, that ties in very well with what we’ve already been pushing.

IG: Any tips for how businesses can strengthen their systems before the GDPR comes into force?

JPD: I think it’s important for companies to do gap analyses of their systems – not just CCTV but also how they are collecting information on their website, their CRMs and so forth. A CCTV gap analysis is especially important for end users who are filming public areas. They are exposing themselves to high risk.

But depending on what they have in place and who they talk to, they don’t necessarily have to do a full upgrade of their systems. There are ways to simply strengthen systems, but this is where one vendor will differentiate from the other.

Another thing is there’s a lot of ‘requests for proposals’ and ‘requests for information’ happening as we speak. If you were about to invest a large sum of money to upgrade your analogue system to IP, for example, all the people who are going to participate in your project – starting with the consultant, but also integrators and manufacturers – should explain their take around cyber security. This is part of our security of security message.

Again, if your system is monitoring public areas, there should be a chapter within your RFP to have a well explained position and solution to meet your compliance.

Even outside GDPR, it is good practice in any case to ensure you utilise the tools available.

Free Download: The Video Surveillance Report 2023

Discover the latest developments in the rapidly-evolving video surveillance sector by downloading the 2023 Video Surveillance Report. Over 500 responses to our survey, which come from integrators to consultants and heads of security, inform our analysis of the latest trends including AI, the state of the video surveillance market, uptake of the cloud, and the wider economic and geopolitical events impacting the sector!

Download for FREE to discover top industry insight around the latest innovations in video surveillance systems.


Related Topics

Notify of
Newest Most Voted
Inline Feedbacks
View all comments
Salvatore D\'Agostino
Salvatore D\'Agostino
September 6, 2017 4:59 pm

While encryption can protect information there still needs to be a consent based workflow for registration of devices that still is not there. When we see purpose specification and receipts built into security management system then the bar will be truly cleared.

September 13, 2017 10:36 am

How would this affect a very small business, a corner shop for example, that has a fixed (non tracking) cctv system to deter thefts etc. images recorded direct to a hard drive, no web access…….?

Simon Bishop
Simon Bishop
September 15, 2017 3:35 pm
Reply to  Adam Bannister

Hi Adam, I have to disagree – small businesses should be concerned- there is already a misconception that smaller businesses will have less to worry about than larger businesses but with the exception of having to appoint a DPO for larger businesses (over 250 employees) the rules and fines are the same. CCTV is a forgotten cousin of personal data – most businesses we speak to don’t even recognise it as personal data so getting up to speed can be a minefield. The ICO currently issued fines to small businesses for data breaches and not registering with them – there… Read more »

June 20, 2018 3:38 pm

Hi, I would like some advice please. Do live monitoring traffic cameras or to be more specific a web camera which captures a singular image once per minute and then continually overwritten classed as a CCTV or surveillance camera? I am confused as I have been told that the Traffic Management camera does not need to comply with CCTV policy as it is NOT a CCTV camera but a web camera even though it does take pictures?
Would you be kind enough to clarify if this camera should have a policy or at least a (PIA) privacy assessment?